FOREWORD

This Indian Standard (First Revision) was adopted by the Bureau of Indian Standards, after the draft finalized by the Nuclear Instrumentation Sectional Committee had been approved by the Electronics and Telecommunication Department.

The use of process computers with nuclear reactor units has become general. Widespread use is made of computers as a means of enhancing conventional instrumentation and control, such as start-up checks of the reactor, surveillance of parameters against alarm limits, closed loop control and expert systems for operator guidance. The data acquisition systems are networked for sharing of information for operator guidance and control applications. The assignment of tasks vital to plant operation to computer systems requires careful consideration of the factors affecting availability and reliability when determining the system configuration.

This standard will be of interest to the managers of nuclear power plants as well as the manufacturers and suppliers of the computer systems used by them.

This standard was earlier published in 1989 and was identical to IEC 643 (1979). This revision has been undertaken keeping in view the advancement of technology and changed indigenous requirements. For the preparation of this standard, assistance has been derived from IEC 60643 (1979) 'Application of digital computers to nuclear reactor instrumentation and control' and IEC 61226 (1993) 'Nuclear power plants -- Instrumentation and control systems important for safety -- Classification', issued by the International Electrotechnical Commission (IEC).

The composition of the Committee responsible for formulation of this standard is given in Annex A.
Indian Standard

APPLICATION OF COMPUTERS TO NUCLEAR REACTOR INSTRUMENTATION AND CONTROL

(First Revision)
IS 12772:2003

1 SCOPE

1.1 This standard specifies the principles that should be followed in the use of digital computers for alarm, instrumentation, record, control and equipment protection purposes, including expert systems, on nuclear reactor units. This standard serves as guidance for the application of digital computer systems.

1.2 This standard applies to all on-line applications of digital process computer systems to nuclear reactors and to off-line applications immediately associated with the on-line system, such as would normally use the same equipment. The recommendations are based on recognized practice in the process computer field and are functional in nature. These recommendations are not intended to affect the obligations that a supplier of equipment, services or programmes may have for satisfactory performance in any specific application. General recommendations are given for the application of such systems, for the equipment and programmes, and for performance and maintenance.

2 TERMINOLOGY

For the purpose of this standard, the following definitions shall apply.

2.1 Digital Computer System, Computer System -- An equipment consisting of CPUs, storage units, input/output and communication units and computer programmes, but not including the measurement transducers or actuators.

2.2 Nuclear Power Plant -- All that plant, including the nuclear reactor and its protection systems, coolant systems and electrical supplies, which is necessary for the generation of electricity or the generation of thermal power.

2.3 Analogue Signal -- A time-continuous signal whose amplitude is directly related to the information conveyed by the signal.

2.4 Binary Signal -- A two-state signal.

2.5 Computer Log, Log -- A pre-specified legible record of nuclear power plant conditions made by the computer system on demand or automatically, in permanent form.

2.6 Availability -- The proportion of time for which the computer system is capable of performing all specified functions.

2.7 Reliability -- The probability that an item will perform a required function under stated conditions for a stated period of time.

2.8 Redundancy -- The existence of more than one means of performing a given function.

2.9 Digitized Signal -- A coded signal held in binary form, whose information is equivalent to an analogue signal at a discrete time.

2.10 On-Line -- The mode of operation of the computer system in which the input data used by the programme being performed is acquired in real time from the process plant to represent its current state. An output function is usually available when the system is on-line.

2.11 Off-Line -- The mode of operation of the computer system in which the input data used by the programme being performed is independent of the current state of the process plant.

3 APPLICATION CLASSES

3.1 The tasks assigned to the digital computer system are grouped into three application classes related to nuclear power plant operational requirements. Consequently, these three classes have differing requirements for availability, redundancy, reliability and functionality of the associated computer system (see 6).

3.1.1 Class IA -- Systems dedicated to performing safety critical functions for reactor protection, such as supervision of the reactor core against excess reactivity, flow blockage, protection logic and so on.

3.1.2 Class IB -- Systems that play a complementary role to the Class IA systems in performing safety critical functions for reactor protection, such as reactor power regulation, on-line testing of Class IA systems, moderator level control, reactor start-up checks, fuel handling control, interlocks, and primary coolant pressure or flow control.

3.1.3 Class IC -- Systems dedicated to acquisition of plant data and display of information towards enhancing plant operation and safety. Failure of Class IC systems may result in a degradation of overall nuclear power plant performance but will not have direct safety implications. These systems are not directly involved in mitigating the physical consequences of a postulated initiating event (PIE). Examples: on-line expert systems for operator guidance, graphic user interface (GUI) systems (history trend, mimic display, bar chart display), process disturbance analyzer, event sequence recorder, and on-line computational systems such as thermal balance, reactivity balance, etc.

4 DETERMINATION OF APPLICATION CLASS

4.1 Where a nuclear power plant operational function is to be performed by a computer system, the application class shall be determined, in order to establish the redundancy and reliability of equipment needed. This can be done by considering the consequences for operation of a short-term or long-term loss of that function. Where a nuclear power plant operational function is considered as a possible computer task, the computer application class that is thereby required shall be considered carefully. This consideration should take account of alternative or standby equipment needed, together with economic, technical and safety factors.

4.2 Factors in determining the application class also depend upon the importance of the information required by different agencies such as operational, maintenance and managerial staff.

5 COMPUTER FUNCTIONS

5.1 The tasks which can be performed by on-line computers in association with a nuclear power plant include:

a) Functions where nuclear power plant conditions are monitored and nuclear power plant trips or other action taken for equipment safety or availability.
b) Automatic testing of control or equipment protection system or reactor protection system functions.
c) On-line determination of margins to trip and status of nuclear power plant for evaluation by the operators.
d) Interlock functions where nuclear power plant conditions are monitored and adverse operator action prevented directly.
e) Control of nuclear power plant operation by implementation of control algorithms.
f) Sequential operation of nuclear power plant in association with start-up, shutdown or otherwise.
g) Sequential control of instrumentation systems such as, for example, burst can detection or neutron fluence rate scanning.
h) Control of fuel handling operation.
j) Derivation of significant alarms by signal processing and analysis.
k) Detection of alarm states from analogue signals and binary signals.
m) Logging of nuclear power plant operational states.
n) Derivation of nuclear power plant operational information by calculation of data relating to the operation of the installation, used for instrumentation and for physics assessments, for records, or for licensing purposes.
p) Special display or recording methods for indication of histories, trends, reactor conditions, complex nuclear power plant conditions or configurations.
q) Recording of alarm states as logs.
r) Display of nuclear power plant signal states and values, to allow or aid correct operation.
s) Data acquisition and analysis of alarms detected and of alarms existing, to allow or aid correct operation (expert systems).

6 AVAILABILITY AND RELIABILITY

6.1 General

6.1.1 Where the system design is such that degraded performance results from failure of a system element, the availability of each function can be calculated from the total time during which each function was performed or was available for performance.

6.1.2 Availability of a function is dependent on the reliability of the devices used to perform the function. Redundant devices can be used to increase reliability. Care should be taken that the additional monitoring, switching or other equipment needed to use redundant devices does not in fact reduce the overall availability of the function. The reliability of the power supply sources for the computer system shall be appropriate to the application classes of the functions performed.

6.2 Reliability Requirements

6.2.0 General -- Reliability requirements should be commensurate with the criticality of the functions performed by the computer based system. A quantitative reliability target or on-demand failure probability, as appropriate, shall be specified for the computer based system. Similarly, spurious failure probability and availability shall be specified using appropriate quantitative metrics.

6.2.1 Class IA -- For Class IA applications, no single fault should lead to complete loss of computer functions. These systems shall be built to achieve high reliability figures. Redundant and/or diverse system configurations may be adopted to achieve the desired reliability figures. The reliability requirement of this class of systems is one order higher than the reliability requirement of Class IB systems.

6.2.2 Class IB -- For Class IB applications, no single fault should lead to complete loss of the computer functions. The system configuration necessary to fulfil this requirement entails the use of redundant components and systems.

6.2.3 Class IC -- For Class IC applications, a single fault may cause a partial loss of computer system facilities, or total loss in the case of certain defined faults. A typical computer system, providing the normal source of alarms and of data and providing extensive logs, monitoring and display, with limited sequential control, and with minimum back-up instrumentation including operational aids, can be expected to meet the required reliability for Class IC.

6.3 When designing the computer system, due consideration should be given to the choice of reliable equipment to assure an adequate mean time between failures (MTBF) and to the provision of means for rapid fault detection. Design shall consider the use of modularity so as to enable easy identification and replacement of faulty modules without compromising security.

6.4 The reliability of power supply sources for the computer system shall be appropriate to the application classes of the functions performed.
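The availability arithmetic behind 6.1.1 and 6.1.2, as an added worked example (not code from IS 12772 or from any plant system; the device and switch availability figures are constructed):

```python
"""Availability arithmetic behind 6.1.1 and 6.1.2: availability of a function from the
time it was available, and the effect of redundancy when the redundant devices sit
behind common monitoring or switching equipment.  Added example, not from IS 12772;
all figures are constructed for illustration."""
from typing import Iterable, Tuple


def function_availability(available: Iterable[Tuple[float, float]], total_hours: float) -> float:
    """6.1.1: proportion of the period during which the function was available.
    `available` holds (start, end) hour pairs taken from the computer's own record."""
    return sum(end - start for start, end in available) / total_hours


def parallel(*devices: float) -> float:
    """Redundant group: the function is lost only when every device is down."""
    prob_all_down = 1.0
    for a in devices:
        prob_all_down *= 1.0 - a
    return 1.0 - prob_all_down


def series(*elements: float) -> float:
    """Chain in which every element must be up, e.g. the changeover switch that
    selects between redundant devices and is itself a single point of failure."""
    product = 1.0
    for a in elements:
        product *= a
    return product


def redundant_with_switch(device: float, switch: float, n: int = 2) -> float:
    """6.1.2: n identical redundant devices behind one switching/monitoring element."""
    return series(parallel(*([device] * n)), switch)


def switch_availability_needed(device: float) -> float:
    """Least switch availability for a duplicated device to beat a single device:
    (1 - (1 - A)^2) * S >= A  gives  S >= 1 / (2 - A)."""
    return 1.0 / (2.0 - device)


def redundancy_helps(device: float, switch: float) -> bool:
    """True when duplication plus switch gives higher availability than one device."""
    return redundant_with_switch(device, switch) > device
```

With a device availability of 0.99 the changeover switch itself must be available more than about 99.01 % of the time, otherwise the duplicated arrangement is less available than a single device, which is the caution in 6.1.2.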
7 GENERAL FACTORS

7.1 System Functions

7.1.1 A computer system may provide control and information functions for the nuclear power plant operators. These functions and the display units, printers and controls over the computer system operations should be fully integrated into the control room design and nuclear power plant operational concepts.

7.2 Computer System Equipment

7.2.1 The planning of a computer system should consider its location, electrical supplies and operating environment (such as climatic conditions, radiation level, vibration and so on). The design of the computer system equipment should take account of the different types of station instrumentation and alarm signals. It should account for any electrical interference likely to exist.

7.2.2 Design should allow for input signal scanning rates compatible with the behaviour of the nuclear power plant. It should take care of signal types, ranges, desired accuracy and interfaces of the systems. The computer's storage systems and connectivity should have response times appropriate to the functions to be performed.

7.2.3 Design should also take into account requirements of access to the systems (access to hardware or software) and ensure that access is granted according to the needs of persons and at different levels, namely operator, supervisor, maintenance personnel, etc, through secure means such as hardware key interlocks and/or passwords.

7.2.4 The staffing for operation and for maintenance, the availability of spare modules and the repair of faults should be considered.

7.2.5 Where printout equipment is used, it should be suitably sound-proofed or placed in a separate room or enclosure.

7.2.6 Design should also take into account requirements of access to the systems (access to hardware or software) and ensure that access is granted according to the needs of persons and at different levels, namely operator, supervisor, maintenance personnel, etc, through secure means such as hardware key interlocks and/or passwords.

7.3 System State Indication

All computer based systems should be time synchronized with the help of a station master clock. The nuclear power plant operators should have direct indication of the operational condition of the computer system. Alarms should be provided on major failure of the computer, and the computer itself should provide alarm information on failures within the computer system units. The computer record of time and data should be available for post-incident analysis.

7.4 Operator Control of Computer Functions

7.4.1 The nuclear power plant operators should have simple direct controls over the computer on-line operation. Push button controls, keyboards, mouse, touch screen display, numerical code selection, etc, may be used. Direct push button or switch actions close to display units should be used to control alarm and data displays. An index of displays should be available to the operator.

7.4.2 An acknowledgement signal should be provided by the computer within a stipulated time when the operators request a function. A signal should be provided when a function is completed.

7.4.3 Where monitoring, control or equipment protection functions are involved, alterations of settings and controls for operation or for equipment protection system use shall have locks or appropriate administrative control over their use. On demand, the printout or display of settings shall be available.

7.4.4 The response time for a request for a display should be adequate for the application. Displays should include alternating or changing marks to indicate conditions such as trip messages and trip clear messages of parameters (messages shall be in distinctive colours).

7.5 System Operation

7.5.1 The detailed aspects of system operation should be appropriate to the application class. Facilities are required to load, initiate, start, stop and restart the programmes of the computer system. Programmes are required to allow continuation of system functions at a changeover. On-line fault detection and self-monitoring programmes are required to detect loss of performance of the system equipment, to provide appropriate indications and records of such failures, and to effect automatic changeover to any hot standby equipment.

7.5.2 Modification may be needed to programmes and to the system data which specifies the content of logs and displays, the alarm levels, system reference data, and control and equipment protection settings. Suitable methods for including such modifications should be considered, with security adequate to the consequences of the modification for reactor operation and control and for equipment protection. The means of administrative control, checking of corrections and recording of changes to programmes and data should be considered.

7.6 System Programmes

7.6.1 In a computer programme, undesired or incorrect modes of operation of the programme could be due to errors of specification, errors of logic and failures of implementation and coding. Particular attention should be paid to clarity and simplicity of structure of programmes and to the documentation of the programme modules. The separation of programmes into independent modules with defined interfaces is desirable. The interaction of programme modules with each other should be considered, and the system action considered in the presence of an incorrect or undesired programme module and in the presence of malfunctions of the hardware. Appropriate self-monitoring programme features are desirable.

7.6.2 To ensure the system is adequate for the functions required, the performance should be analyzed. The programme timing, the times of execution and the responses should be evaluated in relation to the desired overall system performance for different operating circumstances. This analysis may involve consideration of each programme module's performance at each extreme of its input data and of the noise coupled with the input signal. The analysis should precede detailed implementation, if possible.

7.6.3 The programme modules and the computer programme system should be fully tested and documented before on-line operation. Verification tests of programme modules, individually and as operating groups, are necessary. Confirmation of the performance analysis by practical tests is required. Records should be kept of the test results of the programme modules and of the overall programme tests. The computer systems shall undergo verification and validation by a competent external agency.

8 LOGGING AND RECORDING APPLICATIONS

8.1 General

8.1.1 The computer system may be used to provide records of nuclear power plant conditions. Records may be provided as output from printers, on floppy disks, cassette tapes, compact disk devices or by other means.

8.1.2 Printed logs are required for assistance in:

a) Immediate analysis of nuclear power plant performance, and
b) Long-term analysis of nuclear power plant performance.

All logs should include nuclear power plant identification, reactor unit identity, date and time in a standardized position, provided by the direct action of the computer. A method of manual initiation of each record should be provided. When a printed log is made from a record, the form of output should be readily understandable.

8.1.3 Where very fast transients are involved (for example, electrical faults), special equipment may be needed to memorize the sequence of the transient.

8.1.4 Logs may be provided for management and operational purposes. These may show information for daily operation reviews, shift changeover, alarm and history record purposes. On appropriate computer systems, logs may cover long-term and short-term thermal balances, incident histories, maintenance and trends, and automatic accumulation of averages of major parameters. A log of all inputs is desirable for off-line analysis and performance evaluation.

8.1.5 Where a computer system is used for nuclear power plant control, an automatically initiated log of selected control actions and changes of control state is desirable. Where a computer is used for equipment protection, an automatic log should be made of the conditions which caused protective action to be taken.

8.2 Incident History Reviews

8.2.1 Logs may be provided to show the values of nuclear power plant measurements before, during and after selected nuclear power plant incidents. The initiation conditions for these logs should be carefully and exactly determined. Excessive amounts of output information should be avoided. The chronology should be clearly shown. Analogue trends, before and after an incident, should be recorded for significant periods related to the scan interval of each variable and to the incident.

8.3 Alarm Logs

8.3.1 Logs should be provided to show all the alarms detected by the computer system in the chronological order of detection. These should show the times of detection and the alarm identities. It can be an advantage if alarms detected from analogue signals are recorded with the value of the associated analogue signal, or of the signal limit value. The log may be printed at routine intervals, or on demand. Alarm logs should be provided as a clear printout suitable for immediate analysis.

8.3.2 Separate logs should be provided to show all alarms that exist and any alarms or input signals which are inhibited or suppressed.

8.4 Plant State Logs

8.4.1 Logs may be required from the computer to show the condition of nuclear power plant states not indicating alarms, or the changes of these states.

9 NUCLEAR POWER PLANT MONITORING

9.1 Analogue Alarm State Monitoring

9.1.1 Provisions should be made to allow analogue and digitized signals to be checked at routine intervals chosen with reference to significant nuclear power plant transients. Provisions to allow alarm limits to be allocated to any analogue signal are desirable. Special checks may be required where an alarm limit is derived from other signals. Where alarm limits on rates of change are required, care is necessary to avoid false alarm initiation.

9.1.2 Where hysteresis or confirmation logic is included, care should be taken to avoid suppressing alarms incorrectly.

9.1.3 Alarm checks on analogue signals should be simple and direct, so that nuclear power plant operational staff understand directly the nature of the malfunction detected. The alarm should be handled in the same manner as any binary signal alarm detected by the computer system. Facilities to detect faulty input signals are desirable.

9.1.4 A means of removing individual signals which are known to be irrelevant from alarm monitoring may be an advantage.

9.2 Binary Alarm State Monitoring

Provisions should be made to monitor the state of binary inputs to detect alarm states. It is desirable that a standard convention on the binary state representing an alarm is established for the nuclear power plant. Certain binary inputs may have no alarm significance, but indicate nuclear power plant states or control states. These inputs should be clearly distinguished from alarms.

9.3 Alarm Conditions

Nuclear power plant can be monitored for alarms directly from an analogue signal or a binary signal, or indirectly by logic processing of such signals. The current state of alarm conditions should be stored for use by alarm log, display and analysis functions.
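The analogue and binary alarm monitoring described in 9.1 to 9.3, together with the confirmation and maintenance filtering that 9.5 calls for and the chronological alarm log of 8.3.1, as an added worked example (not code from IS 12772 or from any plant system; the tag names, limits and scan values are constructed):

```python
"""Alarm-state monitoring along the lines of 9.1 to 9.3 (limit checks with hysteresis,
faulty-input detection, inhibited signals, a plant convention for binary alarm states,
stored current alarm conditions), the validation and filtering of 9.5 and the alarm
log of 8.3.1.  Added example, not from IS 12772; tags, limits and scans are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AnalogueLimit:
    tag: str
    low: Optional[float]              # alarm when value < low (None: no low limit)
    high: Optional[float]             # alarm when value > high (None: no high limit)
    hysteresis: float                 # 9.1.2: clear only after re-entering by this margin
    confirm_scans: int                # 9.5 a): consecutive violating scans before raising
    valid_range: Tuple[float, float]  # 9.1.3: outside this range the input is faulty


class AlarmMonitor:
    def __init__(self, analogue: List[AnalogueLimit], binary_inputs: Dict[str, int]):
        self.analogue = {a.tag: a for a in analogue}
        self.binary = binary_inputs           # 9.2: tag -> state meaning alarm (plant convention)
        self.active: Dict[str, str] = {}      # 9.3: current alarm conditions, by tag
        self.bad_inputs: set = set()          # 9.1.3: inputs detected as faulty
        self.suppressed: set = set()          # 9.1.4 / 9.5 b): inhibited or under maintenance
        self._pending: Dict[str, int] = {}    # consecutive violating scans per tag
        self.log: List[tuple] = []            # 8.3.1: (scan, tag, event, value, limit) in order
        self.scan_no = 0

    def suppress(self, tag: str) -> None:
        """Inhibit a signal (9.1.4) or filter it under maintenance (9.5 b); listed per 8.3.2."""
        self.suppressed.add(tag)
        self.active.pop(tag, None)
        self._pending.pop(tag, None)

    def _log(self, tag: str, event: str, value=None, limit=None) -> None:
        self.log.append((self.scan_no, tag, event, value, limit))

    def _check_analogue(self, cfg: AnalogueLimit, value: Optional[float]) -> None:
        tag, (lo, hi) = cfg.tag, cfg.valid_range
        if value is None or not lo <= value <= hi:  # 9.1.3: faulty input, not a plant alarm
            if tag not in self.bad_inputs:
                self.bad_inputs.add(tag)
                self._log(tag, "BAD_INPUT", value)
            return
        self.bad_inputs.discard(tag)
        kind = self.active.get(tag)
        if kind == "HIGH":                            # 9.1.2: hysteresis band before clearing
            cleared, limit = value <= cfg.high - cfg.hysteresis, cfg.high
        elif kind == "LOW":
            cleared, limit = value >= cfg.low + cfg.hysteresis, cfg.low
        elif cfg.high is not None and value > cfg.high:
            cleared, kind, limit = None, "HIGH", cfg.high   # candidate, not yet confirmed
        elif cfg.low is not None and value < cfg.low:
            cleared, kind, limit = None, "LOW", cfg.low
        else:
            self._pending.pop(tag, None)              # excursion not sustained: forget it
            return
        if cleared:
            del self.active[tag]
            self._log(tag, "CLEAR", value, limit)
        elif cleared is None:                         # 9.5 a): confirm on subsequent scans
            count = self._pending.get(tag, 0) + 1
            if count < cfg.confirm_scans:
                self._pending[tag] = count
            else:
                self._pending.pop(tag, None)
                self.active[tag] = kind
                self._log(tag, "ALARM", value, limit)

    def _check_binary(self, tag: str, alarm_state: int, state: Optional[int]) -> None:
        if state == alarm_state and tag not in self.active:
            self.active[tag] = "BINARY"
            self._log(tag, "ALARM", state, alarm_state)
        elif state != alarm_state and tag in self.active:
            del self.active[tag]
            self._log(tag, "CLEAR", state)

    def scan(self, readings: Dict[str, object]) -> List[tuple]:
        """One routine scanning cycle (9.1.1); returns the log entries it produced."""
        self.scan_no += 1
        first = len(self.log)
        for tag, cfg in self.analogue.items():
            if tag not in self.suppressed:
                self._check_analogue(cfg, readings.get(tag))
        for tag, alarm_state in self.binary.items():
            if tag not in self.suppressed:
                self._check_binary(tag, alarm_state, readings.get(tag))
        return self.log[first:]


def run_constructed_scenario() -> AlarmMonitor:
    """Constructed scans: a high pressure confirmed on the second scan and cleared only
    below the hysteresis band, a pump trip, an over-range input, then pump A filtered."""
    mon = AlarmMonitor([AnalogueLimit("PHT-PRESS", low=8.0, high=10.5, hysteresis=0.2,
                                      confirm_scans=2, valid_range=(0.0, 20.0))],
                       {"PUMP-A-TRIP": 1})
    for press, pump in ((10.7, 0), (10.8, 0), (10.4, 1), (10.2, 1), (25.0, 0)):
        mon.scan({"PHT-PRESS": press, "PUMP-A-TRIP": pump})
    mon.suppress("PUMP-A-TRIP")                          # 9.5 b): pump A under maintenance
    mon.scan({"PHT-PRESS": 9.0, "PUMP-A-TRIP": 1})       # filtered: no alarm for the trip
    return mon
```

The hysteresis band and the confirmation count are the two places where 9.1.2 warns that a real alarm can be suppressed by mistake, so both are explicit per-signal settings here rather than fixed in the code.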
9.4 Alarm Analysis

9.4.1 Where many alarms can be detected by the computer system, it may be desirable that the most significant alarms arising at any nuclear power plant failure are detected and specially presented to the control operators. The method of analysis to detect the most significant alarms should be fast and simple. It is undesirable for the detection of an alarm to require an extensive programme search of other alarm conditions or extensive bulk data store transfers.

9.4.2 Techniques which may be used for alarm analysis include:

a) Pre-defined classes of urgent and non-urgent alarms.
b) Dynamic checks when one alarm is detected, to judge its importance compared to other existing alarms, using pre-defined criteria.
c) Logic operations to group or deduce alarm conditions, using pre-defined logic processes for alarms.
d) Logic operations to condition the display of one alarm, dependent on the state of other input signals and alarms.

9.4.3 To allow for unforeseen nuclear power plant circumstances, the operator should be able to display the primary nuclear power plant conditions detected by the computer independently of the analysis process followed. This applies especially when automatic inhibition of alarms is used.

9.5 Alarm Validation and Filtering

9.5.1 The following alarm validation and filtering techniques shall be used:

a) Confirmation of alarm conditions in subsequent scanning cycles, and
b) Filtering of alarms from parameters of equipment which are under maintenance.

10 DISPLAY SYSTEMS

10.1 General

10.1.1 Displays can be provided for control room operators and for use by specialists for flexible alphanumeric and graphical applications.

10.1.2 All displays should be designed for clarity, and ergonomic principles should be followed in the design of the display layout. Analogue data on nuclear power plant conditions should be updated at a rate able to show nuclear power plant changes satisfactorily, and alarm data should be refreshed when a change is detected. It may be an advantage if a permanent record of any display can be made on demand. The means of modification of the display format should be considered.

10.2 Data Displays

10.2.1 Displays of data should be available to show a clear indication of each signal title and its value in appropriate units, or its state.

10.2.2 Displays should be designed by study of the operation of nuclear power plant items, routine or standard operational patterns and specific parameter survey requirements.

10.2.3 Display facilities which can be advantageous are:

a) Any analogue input;
b) Any binary input;
c) Auto/manual or control system states;
d) Inputs inhibited or deleted from scans;
e) Any output states; and
f) Any stored information.

10.3 Trend Displays

10.3.1 Where suitable equipment is available, trend displays can provide the immediate past values of selected signals. It is desirable to show the trend as a normal graph, where time is represented by the X-axis of the display and value by the Y-axis.

10.3.2 It is ergonomically preferable that the past trend displayed remain steady and that the latest values are added to the right of the graph. Standardized periods of accumulation of past values at appropriate sampling rates should be chosen from considerations of nuclear power plant performance. A typical accumulation period is 30 min. Where a trend can be displayed, the computer record of past values should be available as a permanent record.

10.4 Display of Plant Schematic Diagrams

10.4.1 Where suitable equipment is available, nuclear power plant measurements and conditions can be presented in diagrammatic form. Colours and symbols can represent nuclear power plant conditions, and interrelationships between nuclear power plant items may be shown in the diagrams. Consideration should be given to the method of recording the displayed information.

10.5 Alarm Displays

10.5.1 The display of alarms to nuclear power plant operators shall be rapid and simple. The display operating modes should follow as closely as possible the established sequences of conventional alarm annunciation systems. Alarm messages may be presented using a set of sequential pages. The operator should be able to turn from one page to an adjacent page by operation of a single control. It should be possible for the operator to obtain a permanent record of any alarm display.

10.5.2 The design should be such that the sudden detection of a large group of alarms does not adversely affect system performance or cause loss of alarm information. The alarm display system should be able to operate normally with any number of alarms existing on the nuclear power plant.

10.5.3 It is desirable that the display of an alarm take the form of a reference code (such as the input address) and a clear and unambiguous title. Where abbreviations are used, they should be of established use within the overall nuclear power plant nomenclature. The use of abbreviations should be minimized, but where a nuclear power plant system is normally referred to by an abbreviation, that abbreviation should then always be used.

11 CALCULATIONS

11.1 Nuclear Power Plant Performance Calculations

Based on the scanned data, computer systems may be used to carry out the following computational functions:

a) Reactor thermal output;
b) Neutron fluence rate distribution;
c) Power density distribution;
d) Departure from nucleate boiling ratio (DNBR);
e) Critical heat flux ratio;
f) Electrical, thermodynamic and flow calculations for nuclear power plant performance;
g) Turbine and other nuclear power plant items performance;
h) Control rod burn-up;
j) Fuel management;
k) Fuel burn-up for individual fuel elements;
m) Summated core fuel burning;
n) Core reactivity and reactivity balance;
p) Xenon-iodine poisoning predictions;
q) Control rod position;
r) Control strategy for load forecast plant;
s) Radioactive effluent;
t) Evaluation of spectrographic analysis;
u) Fuel element cladding or coating failure;
v) Calculations for first approach to criticality; and
w) Estimation of water leak in steam generator of fast breeder reactors.

11.2 Specification of Calculations

11.2.1 Nuclear power plant performance calculations done on-line or off-line should take into account normal instrumentation limitations.

11.2.2 A clear definition of the performance calculation should be made, showing the relevant formulae, nuclear power plant operating conditions, parameters, signals and constants used, and the purpose of the calculation.

11.2.3 In drawing up specifications for nuclear power plant performance calculations, the following aspects shall be taken into account:

a) Results shall be reproducible;
b) Nuclear power plant instrumentation has limited accuracy;
c) Definition of nuclear power plant status for calculation is essential;
d) Purpose for which calculation is intended should be clearly defined;
e) Formulae used shall be defined;
f) Distinction shall be made between constants (invariable) and parameters (variable);
g) Plausibility checks for measured values shall be clearly defined; and
h) Timing requirements should be clearly defined.

11.2.4 Consideration of the immediate value of the information required for nuclear power plant operation should be used to determine whether a calculation should be performed on-line or on an external computer. If a calculation is required frequently during any day to maintain satisfactory operation, or if it uses the current data on the nuclear power plant, it should be done on-line, depending upon feasibility. If it is required on an infrequent basis for longer-term operation, or where the application class allows this, it may be done with an off-line computer system. If the calculation requires extensive data or records not normally or readily held in the computer system, it should be done on an external computer.

12 NUCLEAR POWER PLANT CONTROL

12.1 Sequential Control

12.1.1 A computer system can be used for automatic sequential control of nuclear power plant start-up, shutdown and standby selection, for control of sampling or sequentially scanned instrumentation systems, and for control of refuelling operations.

12.1.2 Manual controls should allow isolation of the nuclear power plant from the computer. A control interface system is needed to match the computer output to the control functions of the control room and the nuclear power plant.

12.1.3 The computer programmes should be organized into functional groups related directly to the sequential control tasks. These groups should allow independent nuclear power plant commissioning of each control task and should permit alterations to match changes to nuclear power plant characteristics.

12.1.4 The state of the nuclear power plant which is controlled should be checked by the computer to detect malfunction of the control outputs or nuclear power plant actuators.

12.2 Closed Loop Control

12.2.1 A computer can be used for control of the normal operation of the nuclear power plant. The advantages are improved flexibility of control and the possibility of adaptive control.

12.2.2 Particular care should be taken to determine the computer application class, by consideration of the control system reliability required.

12.2.3 Computer closed loop control can be done at two levels:

a) Output of set points to normally operating control units provided with their own standby facilities external to the computer; and
b) Output of control signals directly to the nuclear power plant, with provision of a standby facility separate from the computer.

Particular consideration should be given to the time taken by the computer to acquire and process data and to output control signals.

12.2.4 The computer control system shall have provision to check the health of sensors and final actuation elements wherever possible, and shall ensure bumpless control transfer, if required.

12.2.5 The computer system should allow alteration of all control parameters during normal operation. These parameters may be set points, control constants and offsets. An output of all parameter values in use should be available to the operators.